DETAILED ACTION

1. Applicant's amendment filed on Oct. 31, 2007 has been entered. Claims 1, 2, 4-6, 8-15, 18-22, 24 are pending. Claims 1, 5, 13 are amended by the applicant.

Claim Rejections - 35 USC § 101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new 
and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. 

2. Claims 13-15, 18-20 are rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter. 

Claim 13 recites, "Security control apparatus for controlling the security of a network server from
unauthorized content contained in a message received from a user of said server, the apparatus
comprising: means for intercepting said message...; means for examining said message...; means
for receiving...; a means for retrieving...; means for examining...; means for determining...;
means for preventing said...; means for allowing...". The claimed apparatus is directed to software
programs/routines [absent an explicit and deliberate definition in the specification that the
routines must be implemented in hardware or a combination of hardware/software; see specification page
3, paragraphs 013 and 0025] which do not show a physical transformation. Therefore, the claimed
"apparatus" would amount to computer programs, a type of functional descriptive material, per se. As
such, the claimed apparatus must include the hardware necessary to realize any of the functionality
of the claimed routines and produce a useful, concrete and tangible result. Absent recitation of such
hardware as part of the claimed apparatus, it is considered non-statutory.
Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 
102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the 
subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill 
in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

3. Claims 1, 2, 4-6, 8-15, 18-22, 24 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Reshef et al (US Patent No. 6,584,569) in view of Steele et al (US Pub. No. 2003/0191737) and 
in view of Wagner (US Patent No. 6,085,224). 

As per claim 1, Reshef teaches:

examining the messages that flow between a client browser and a server hosting the web application, 
intercepting said message before any content of said message is processed by said server [Fig. 2A, 
2C, col. 5 lines 1-4]; examining said message to determine if it contains one or more unauthorized 
elements [Fig. 2A, 2C, col. 7 lines 18-67, col. 8 lines 1-12, col. 9 lines 32-51], the examining 
comprising: receiving an identification of an execution program set to be used to process said 
message received [col. 9 lines 60-67, col. 10 table 1]; retrieving an identification of all message types 
associated with said execution program set; examining said message received by said server in 
relation to said message types associated with said execution program set [col. 10 table 1, lines 26- 
61, col. 9 lines 32-58]. 
Reshef teaches intercepting the message (HTTP request/response, which includes an entirety of a
string of text based information) before any content of the message is processed by said server [Fig. 
2A, col. 5 lines 1-4, Fig. 4, 5] and examining/analyzing the message to detect the unauthorized 
elements [Fig. 2A, 2C, col. 6 lines 26-67, col. 7 lines 51-67, col. 8 lines 1-34]. 

Steele teaches: the message (HTTP request/response) includes information entered for constructing 
a query to access data of the server that includes an entirety of a string of text based information 
entered by a user into a web page provided by the server directly incorporated therein [Fig. 9A-9C, 
10]. 

Therefore, it would have been obvious to a person of ordinary skill in the art at the time the invention
was made to combine Steele with Reshef to realize that the message (HTTP request/response)
includes the information entered by the user into the web page, since one would have been motivated
to detect security vulnerabilities in a web application [Reshef, col. 2 lines 18-20, 32-34, 44-46].

Wagner teaches: 

determining if said message received by said server contains an unauthorized element in relation to 
the corresponding message type for said message received; if it is determined that said message 
contains an unauthorized element preventing said message received from being processed by said 
server; if it is determined that said message does not contain an unauthorized element allowing said 
message received to be processed by said server [Fig. 1, col. 7 lines 44, col. 15 lines 42-67, col. 16 
lines 1-42]. 
Therefore, it would have been obvious to a person of ordinary skill in the art at the time the invention
was made to combine Wagner with Reshef and Steele, since one would have been motivated to
prevent the execution of interpretive language programs or commands [Wagner, col. 3 lines 45-46].

As per claim 2, the rejection of claim 1 is incorporated and Wagner teaches if it is determined that
said message received contains an unauthorized element, preventing said message received from 
being processed by said server, and causing an error notification to be sent to said user [col. 4 lines 
62-67, col. 16 lines 34-47]. 

As per claim 4, the rejection of claim 1 is incorporated and is rejected for the same reason set forth in
the rejection of claim 2 above. 

As per claim 5, it encompasses limitations that are similar to limitations of claim 1. Thus, it is rejected
with the same rationale applied against claim 1 above. 

As per claim 6, the rejection of claim 5 is incorporated and is rejected for the same reason set forth in
the rejection of claim 2 above. 

As per claim 8, the rejection of claim 5 is incorporated and is rejected for the same reason set forth in
the rejection of claim 2 above. 

As per claim 9, the rejection of claim 8 is incorporated and further Wagner teaches:

if it is determined that said message received does not contain an unauthorized element, allowing
said message received to be processed by said server [Fig. 1, 5, 6].
As per claim 10, the rejection of claim 1 is incorporated and Wagner teaches the message comprising
a name value pair [col. 15 lines 51-62, Fig. 3]. 

As per claim 11, the rejection of claim 1 is incorporated and Wagner teaches said element comprises
one or more of the following items: an instruction, a command, a character, a parameter, a token, or a 
string of any of said previous items [col. 15 lines 51-62, Fig. 3]. 

As per claim 12, the rejection of claim 11 is incorporated and further Wagner teaches:

said element is interpretable as an instruction or command by said server [col. 15 lines 51-62, Fig. 3]. 

As per claim 13, it is an apparatus claim corresponding to method claim 1 and is rejected for the
same reason set forth in the rejection of claim 1 above.

As per claim 14, the rejection of claim 13 is incorporated and Reshef teaches:

network server comprises an Internet network server and said message is received over the Internet
by said server from a user [Fig. 2C].

As per claim 15, the rejection of claim 13 is incorporated and is rejected for the same reason set forth
in the rejection of claim 2 above. 

As per claims 18 and 19, the rejections of claims 13 and 18 are incorporated and they are rejected for the
same reason set forth in the rejection of claims 10 and 11 above.

As per claim 20, the rejection of claim 19 is incorporated and is rejected for the same reason set forth
in the rejection of claim 12 above. 

As per claim 21, the rejection of claim 1 is incorporated and Reshef teaches:

the message types are chosen from the group consisting of: single token; string; multiple tokens 
without keywords: OR, UNION and SEMI-COLON; multiple tokens without keywords: UNION and 
SEMI-COLON; multiple tokens without keywords: SEMI-COLON; and multiple tokens without
restriction [col. 9 lines 40-45, col. 10 table 1]. 

As per claim 22, the rejection of claim 5 is incorporated and is rejected for the same reason set forth
in the rejection of claim 21 above. 

As per claim 24, the rejection of claim 1 is incorporated and Steele teaches the query is a database
query that includes an entirety of the information entered by the user into a field of the web page [Fig. 
9A-9C, 10]. 

Response to Amendment 

4. This written action is responding to the Request for Continued Examination (RCE) dated Oct.
31, 2007. Applicant has amended claims 1, 5, 13, which necessitated a new ground of rejection. A new
reference by Steele et al is found and used in combination with various previously cited prior art.
Steele teaches the message (HTTP request/response) includes information entered for constructing a 
query to access data of the server that includes an entirety of a string of text based information 
entered by a user into a web page provided by the server directly incorporated therein [Fig. 9A-9C, 
10]. Further, Reshef teaches intercepting the message (HTTP request/response, which includes an 
entirety of a string of text based information) before any content of the message is processed by said 
server [Fig. 2A, col. 5 lines 1-4, Fig. 4, 5, Fig. 2A, 2C, col. 6 lines 26-67, col. 7 lines 51-67, col. 8 lines 
1-34]. Therefore, the combination of Reshef, Steele and Wagner teaches the claim limitation. See 
new grounds of rejection above. 

Conclusion 

5. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 
Shannon (US 6233618) — Access control of networked data

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to NIRAV PATEL whose telephone number is (571)272-5936. The examiner can 
normally be reached on 8 am - 4:30 pm (M-F). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Kim Vu can be reached on 571-272-3859. The fax phone number for the organization where this 
application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application
Information Retrieval (PAIR) system. Status information for published applications may be obtained
from either Private PAIR or Public PAIR. Status information for unpublished applications is available
through Private PAIR only. For more information about the PAIR system, see
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the
Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a
USPTO Customer Service Representative or access to the automated information system, call
800-786-9199 (IN USA OR CANADA) or 571-272-1000.

NBP 

4/4/08 

/KIMYEN VU/ 

Supervisory Patent Examiner, Art Unit 2135 



